bf753770b8
The ReadCap filter now enforces on per-entity documents (consumers create one doc per entity, so each has a declared policy — private→owner, protected→owner+ connections, public→all). Isolation is genuinely active, not dormant. - connections.ts (new): a BILATERAL connection registry — a link grants protected read only when BOTH sides have asserted it (each assertion bound to its author). A unilateral/self-declared connection grants nothing (closes the confused-deputy hole). declareConnections is authenticated to the current identity. - inbox.post: `from` is bound to the current identity — a spoofed `from` throws. - discovery.submitToIndex: PUBLIC-ONLY — a governed non-public doc is refused (no protected/private leak into the world-readable index). - docs/simulation.md: documents this as application-level emulated isolation on a shared wallet (not crypto); at NextGraph maturity → real caps, consumer unchanged. 89 tests pass (+10 covering: active protected isolation via bilateral connect, unilateral grants nothing, from-spoof rejected, non-public submit refused). tsc rc=0. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ng-eventually/client
Two entry points — the data-plane is SDK-identical, the polyfill bootstrap is separate:
| Import | Surface | At migration |
|---|---|---|
@ng-eventually/client |
Same signature as the SDK — ng, useShape, inbox (+ types). Drop-in for @ng-org/web / @ng-org/orm. |
Resolves to the real SDK (build alias removed) — no code change. |
@ng-eventually/client/polyfill |
The only non-SDK surface — configure, setCurrentUser, capability helpers (canRead/canWrite/defaultGrant/grantRead). |
Removed. |
// bootstrap (the only non-SDK call) — inject the REAL SDK
import { configure } from "@ng-eventually/client/polyfill";
configure({ ng: realNg, useShape: realUseShape, sharedWallet, currentUser });
// from here on, pure SDK surface:
import { ng, useShape, inbox } from "@ng-eventually/client";
await ng.doc_create(/* … */);
const set = useShape(MyShape, scope); // filtered to what the user may read
await inbox.post(targetInbox, ref); // deposit (anticipated SDK API)
What the polyfill adds on top of the real SDK (all removed/native at migration):
- Shared-wallet login (one wallet for everyone).
- Capability enforcement — read filter + write guard, on emulated grants attached to documents.
- Anticipated methods (inbox
post, capability ops) with their future-SDK shapes, emulated for now.
Generic: no application domain. The consumer injects shapes and performs the acts of granting access. The client must not contain the global-index curator (a separate package, deferred — see the repo README).